Metasploit has been called a lot of things depending on which side of
the IT security equation you call home but the reality is that it is a
powerful tool for use by both security professionals and their
adversaries. It both automates and provides building blocks for
attacks against the assets we are charged to protect.

Previously, documentation on Metasploit was fragmented and rather
obscure as it tended to be scattered across a wide universe of project
wikis, articles and folklore. This book provides a solid starting
point for becoming familiar with the capabilities and use of this tool
whether one is a penetration tester or charged with defending
information assets.

It is a technical book and requires s good understanding of systems
and software to derive maximum benefit. Its presentation is heavily
based on examples that illustrate the tools in operation. An appendix
(which paradoxically should be the first thing you read) explains how
to build exploitable Windows and Linux env ironments to support
working through the examples.

The worked-out examples are based, I believe, on Back|Track 4 so if
the reader is using Back|Track 5, as I was, there will be some
required minor translations of directory locations, etc, to reflect
the new release.

As with any book by multiple authors, there is some unevenness in
presentation. Some examples are written from a tutorial perspective
while others just paint the major signposts along the way. There are
also some production issues such as a missing figure on page 83 and a
duplication of figure 14-1 as 14-4. There is also rather of a howler
on page 216 where the ESP register is described as the extended
"starter pointer" instead of "stack pointer". However, these are
definitely minor blemishes.

The book provides an excellent overview of the state of the art in
exploitation of both technical and human vulnerabilities. The
presentation in chapter 10 on "The Social Engineer's Toolkit" (SET) is
a sobering walk through of how human behavior can be exploited to
achieve an adversary's result. The discussion of how SET can be used
in combination with a hardware device such as the Teensy USB
microcontroller illustrates just how inventive our adversaries have
become.

The final chapter of the book presents a detailed walkthrough of
Metasploit's use in a simulated penetration test.

The book leaves the reader with a shocking appreciation of just how
easy it is to perform these attacks with the proper tools. While
Metasploit makes some attacks so simple that a "script kiddie" could
mount them, its truly frightening capabilities lie in the framework's
building blocks for constructing powerful, blended attacks worthy of
the true professional. Whether you are a penetration tester or a
technical security professional, quality time spent working through
this book will add valuable tools and insight to your professional
repertoire.

Before beginning life as a university instructor and independent
cybersecurity consultant, Richard Austin
(http://cse.spsu.edu/raustin2) spent 30+ years in the IT industry in
positions ranging from software developer to security architect. He
welcomes your thoughts and comments at raustin2 at spsu dot edu